Create a DLP policy from a template

The easiest, most common way to get started with DLP policies is to use one of the templates included in Office 365. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.

Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. For example, there are DLP policy templates for:

  • Gramm-Leach-Bliley Act (GLBA)

  • Payment Card Industry Data Security Standard (PCI-DSS)

  • United States Personally Identifiable Information (U.S. PII)

  • United States Health Insurance Act (HIPAA)

You can fine-tune a template by modifying any of the existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.

You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch to meet the specific compliance requirements for your organization.

Example: Identify sensitive information across all OneDrive for Business sites and restrict access for people outside your organization

OneDrive for Business accounts make it easy for people across your organization to collaborate and share documents. But a common concern for compliance officers is that sensitive information stored in OneDrive for Business accounts may be inadvertently shared with people outside your organization. A DLP policy can help mitigate this risk.

In this example, you'll create a DLP policy that identifies U.S. PII data, which includes Individual Taxpayer Identification Numbers (ITIN), Social Security Numbers, and U.S. passport numbers. You'll get started by using a template, and then you'll modify the template to meet your organization's compliance requirements. Specifically, you'll:

  • Add a couple of types of sensitive information (U.S. bank account numbers and U.S. driver's license numbers) so that the DLP policy protects even more of your sensitive data.

  • Make the policy more sensitive, so that a single occurrence of sensitive information is enough to restrict access for external users.

  • Allow users to override the actions by providing a business justification or reporting a false positive. This way, your DLP policy won't prevent people in your organization from getting their work done, provided they have a valid business reason for sharing the sensitive information.

Create a DLP policy from a template

  1. Go to https://protection.office.com.

  2. Sign in using your work or school account. You're now in the Security & Compliance Center.

  3. In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy.

    (Screenshot: Create a policy button)

  4. Choose the DLP policy template that protects the types of sensitive information that you need > Next.

    In this example, you'll select Privacy > U.S. Personally Identifiable Information (PII) Data because it already includes most of the types of sensitive information that you want to protect; you'll add a couple later.

    When you select a template, you can read the description on the right to learn what types of sensitive information the template protects.

    (Screenshot: Page for choosing a DLP policy template)

  5. Name the policy > Next.

  6. To choose the locations that you want the DLP policy to protect, do one of the following:

  • Choose All locations in Office 365 > Next.

  • Choose Let me choose specific locations > Next. For this example, choose this option.

    To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the Status of that location on or off.

    To include only specific SharePoint sites or OneDrive for Business accounts, switch the Status to on, and then click the links under Include to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.

    (Screenshot: Options for locations where a DLP policy can be applied)

    In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the Status for both Exchange email and SharePoint sites, and leave the Status on for OneDrive accounts.

  7. Choose Use advanced settings > Next.

  8. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click Next.

    (Screenshot: Rules expanded in the U.S. PII policy template)

    In this example, the U.S. PII Data template includes two predefined rules:

  • Low volume of content detected U.S. PII: This rule looks for files containing between 1 and 10 occurrences of each of three types of sensitive information (ITIN, SSN, and U.S. passport numbers), where the files are shared with people outside the organization. If found, the rule sends an email notification to the primary site collection administrator, document owner, and person who last modified the document.

  • High volume of content detected U.S. PII: This rule looks for files containing 10 or more occurrences of each of the same three sensitive information types, where the files are shared with people outside the organization. If found, this rule also sends an email notification, plus it restricts access to the file. For content in a OneDrive for Business account, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document.

    To meet your organization's specific requirements, you may want to make the rules easier to trigger, so that a single occurrence of sensitive information is enough to block access for external users. After looking at these rules, you understand that you don't need low and high count rules; you need only a single rule that blocks access if any occurrence of sensitive information is found.

    So you expand the rule named Low volume of content detected U.S. PII > Delete rule.

    (Screenshot: Delete rule button)

  9. Now, in this example, you need to add two sensitive information types (U.S. bank account numbers and U.S. driver's license numbers), allow people to override a rule, and change the count to any occurrence. You can do all of this by editing one rule, so select High volume of content detected U.S. PII > Edit rule.

    (Screenshot: Edit rule button)

  10. To add a sensitive information type, in the Conditions section > Add or change types. Then, under Add or change types > choose Add > select U.S. Bank Account Number and U.S. Driver's License Number > Add > Done.

    (Screenshot: Option to add or change types)

    (Screenshot: Add or change types pane)

  11. To change the count (the number of instances of sensitive information required to trigger the rule), under Instance count > choose the min value for each type > enter 1. The minimum count cannot be empty. The maximum count can be empty; an empty max value converts to any.

    When finished, the min count for all of the sensitive information types should be 1 and the max count should be any. In other words, any occurrence of this type of sensitive information will satisfy this condition.

    (Screenshot: Instance counts for sensitive information types)

  12. For the final customization, you don't want your DLP policies to block people from doing their work when they have a valid business justification or encounter a false positive, so you want the user notification to include options to override the blocking action.

    In the User notifications section, you can see that email notifications and policy tips are turned on by default for this rule in the template.

    In the User overrides section, you can see that overrides for a business justification are turned on, but overrides to report false positives are not. Choose Override the rule automatically if they report it as a false positive.

    (Screenshot: User notifications section and User overrides section)

  13. At the top of the rule editor, change the name of this rule from the default High volume of content detected U.S. PII to Any content detected with U.S. PII, because it's now triggered by any occurrence of its sensitive information types.

  14. At the bottom of the rule editor > Save.

  15. Review the conditions and actions for this rule > Next.

    On the right, notice the Status switch for the rule. If you turn off an entire policy, all rules contained in the policy are also turned off. However, here you can turn off a specific rule without turning off the entire policy. This can be useful when you need to investigate a rule that is generating a large number of false positives.

  16. On the next page, read and understand the following, and then choose whether to turn on the rule or test it out first > Next.

    Before you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before you fully enforce them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents that people require to get their work done.

    If you're creating DLP policies with a large potential impact, we recommend following this sequence:

    1. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine-tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.

    2. Move to Test mode with notifications and Policy Tips so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.

    3. Turn on the policies so that the rules are enforced and the content is protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.

    (Screenshot: Options for using test mode and turning on the policy)

  17. Review your settings for this policy > choose Create.

After you create and turn on a DLP policy, it's deployed to any content sources that it includes, such as SharePoint Online sites or OneDrive for Business accounts, where the policy begins automatically enforcing its rules on that content.
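The same customized policy can be built with Security & Compliance PowerShell instead of the portal. This is an added example, not code from the article or from Microsoft; it assumes the Exchange Online PowerShell module is installed, that the sensitive information type display names match those in your tenant (check them with Get-DlpSensitiveInformationType), and it follows the rollout sequence above by starting in test mode and enforcing only afterwards.

```powershell
# Added example: build the article's "Any content detected with U.S. PII" policy
# with Security & Compliance PowerShell. Connect-IPPSSession (Exchange Online
# PowerShell module) opens the Security & Compliance session.
Connect-IPPSSession

# Policy scoped to all OneDrive for Business accounts only (Exchange and
# SharePoint left out), starting in test mode without Policy Tips so that the
# DLP reports can be reviewed before anything is blocked.
New-DlpCompliancePolicy -Name "U.S. PII in OneDrive" `
    -Comment "Added example: restrict external sharing of U.S. PII" `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# The five sensitive information types used in the article. minCount 1 with
# maxCount -1 (any) means a single occurrence is enough, matching the
# customized rule. Display names are assumptions; confirm them in your tenant.
$types = @(
    @{ Name = "U.S. Social Security Number (SSN)";                     minCount = "1"; maxCount = "-1" },
    @{ Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "1"; maxCount = "-1" },
    @{ Name = "U.S. / U.K. Passport Number";                           minCount = "1"; maxCount = "-1" },
    @{ Name = "U.S. Bank Account Number";                              minCount = "1"; maxCount = "-1" },
    @{ Name = "U.S. Driver's License Number";                          minCount = "1"; maxCount = "-1" }
)

# One rule instead of the template's low/high volume pair: fires on any
# occurrence shared outside the organization, notifies the site admin, owner
# and last modifier, blocks external access, and lets users override with a
# business justification or by reporting a false positive.
New-DlpComplianceRule -Name "Any content detected with U.S. PII" `
    -Policy "U.S. PII in OneDrive" `
    -ContentContainsSensitiveInformation $types `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser SiteAdmin, Owner, LastModifier `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# After reviewing the DLP reports in test mode, move to notifications and
# Policy Tips, and finally enforce the policy.
Set-DlpCompliancePolicy -Identity "U.S. PII in OneDrive" -Mode TestWithNotifications
Set-DlpCompliancePolicy -Identity "U.S. PII in OneDrive" -Mode Enable
```

Run the two Set-DlpCompliancePolicy calls only after checking the DLP reports at each stage, rather than all at once as written here.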

View the status of a DLP policy

At any time, you can view the status of your DLP policies on the Policy page in the Data loss prevention section of the Security & Compliance Center. Here you can find important information, such as whether a policy was successfully enabled or disabled, or whether the policy is in test mode.

Here are the different statuses and what they mean.

Status: Explanation

  Turning on…
    The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources.

  Testing, with notifications
    The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are sent to the specified recipients.

  Testing, without notifications
    The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are not sent to the specified recipients.

  On
    The policy is active and enforced. The policy was successfully deployed to all its content sources.

  Turning off…
    The policy is being removed from the content sources that it includes. The policy may still be active and enforced on some sources. Turning off a policy may take up to 45 minutes.

  Off
    The policy is not active and not enforced. The settings for the policy (sources, keywords, duration, etc.) are saved.

  Deleting…
    The policy is in the process of being deleted. The policy is not active and not enforced. It normally takes an hour for a policy to be deleted.

Turn off a DLP policy

You can edit or turn off a DLP policy at any time. Turning off a policy disables all of the rules in the policy.

To edit or turn off a DLP policy, on the Policy page > select the policy > Edit policy.

(Screenshot: Edit policy button)

In addition, you can turn off each rule individually by editing the policy and then toggling off the Status of that rule, as described above.

More information